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SECURE DATA TRANSFER BETWEEN 
A CLIENT AND A BACK-END RESOURCE 

Technical Field and Background Art 
5 This application claims the benefit of U.S. Provisional Application 

no. 60/1 15,835 filed January 14, 1999. 

In an on-line system, when data is retrieved from a remote resource, 
each intermediate point through which it travels may conceivably access the 
data. Even if such data is retrieved through a secure connection with a web 
1 0 server, the web server itself will be privy to the data. While the web server 
is beneficial in that it acts as intermediary between a client and a remote 
resource, it would be advantageous to utilize the services of the web server 
without having to compromise the data. 

15 Brief Description of the Drawings 

Figure 1 is a block diagram of a system affording secure data transfer; 

and 

Figures 2 and 3 are flow charts of the operation of the system of 
Figure 1 . 

20 

Modes for Carrying Out the Invention 

Secure transfer of data between a client and back-end resources over 
the Internet can be achieved in part by establishing a secure path between 
the two points. Formatting and protocol issues not requiring access to 
25 secure data can be delegated to conventional elements in the path. 

In one configuration, illustrated in the block diagram of Figure 1, a 
client 10, using an Internet browser 12 equipped with the means necessary 
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to create a secure session, accesses a back-end system 20 on which a 
back-end resource 22 resides, through a client-accessible system 30. The 
back-end resource 22 may be a database or some other source of data or 
device that the client wishes to access. 
5 The interconnection 14 between the client 10 and the client- 

accessible system 30 can be over a network such as the Internet or through 
some other medium. Similarly, the interconnection 16 between the 
client-accessible system 30 and the back-end system 20 can be over a 
network such as the Internet or through some other data link. 

1 0 The data transfer process can be described in two parts: a download 

procedure (Figure 2), where data is transferred from the back-end resource 
to the client, and an upload procedure (Figure 3), where data travels from the 
client to the back-end resource. Either can be used alone, in concert with 
each other, or with other processes as appropriate. 

15 Download Procedure 

As shown in Figure 2, the client 10 can initiate a download of 
information by sending a request to the web server 32, which passes the 
request on to the enabler 24. In response to the request, the enabler 24 
issues one or more resource locators and passes them to the web server 32. 

20 Typically, these resource locators are addresses that point to data resources 
on the back end system 20. The web server 32 treats the resource locators 
it receives from the enabler 24 as data. 

The web server 32 assembles a web page placing the resource 
locators in the web page where it would otherwise insert data. It then sends 

25 the formatted web page to the browser 1 2 at the client 1 0. 

As the web page loads in the browser 1 2, the resource locators cause 
the browser 12 to access the back-end system through a router 34 on the 
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client-accessible system 30. After optionally authenticating the client 1 0, the 
enabler 24 will send the browser 12 the appropriate data in response to the 
resource locator, and the browser 12 will simply insert each datum in the 
formatted page at the location dictated by the physical location of each 
5 resource locator on the page. The path between the browser 12 and the 
enabler 24 through the router 34 is secure, having invoked a secure protocol 
such as SSL ("secure socket layer"). 

The data has thus been sent from the back-end resource 20 to the 
browser 12 via a path secure with respect to the elements of the 
10 client-accessible system 30 and interconnections 14 and 16, i.e., bypassing 
the web server 32. 

Upload Procedure 

In an upload, as shown in Figure 3, the client 1 0 desires to send data 
to the back-end resource 22, but in a manner in which the data is not 

15 accessible or readable by the client-accessible system 30 or 
interconnections 14 and 16. To do so, the client 10 establishes a secure 
session with the enabler 24 through the router 34, optionally insuring 
authentication of the back-end system 20 and/or the client 10. The client 10 
then sends the data to the enabler 24 over the secure path. 

20 The enabler 24 does not have a service request and as such cannot 

utilize the data at this point. Therefore, the data is stored on the back-end 
system 20 for later retrieval and, in response to the original message, the 
enabler 24 issues a redirect command and a resource locator and passes 
them back to the client 10 through the router 34. This may occur through a 

25 secure path. For example, the redirect can assume the form: 
https://ws:443/arg:xyz, where ws:443 designates the secure port 443 on the 
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web server 32 and "xyz" is the resource locator that the web server 32 will 
use when referring to the data earlier passed to the enabler 24. 

The client 10 now executes the redirect command, establishing a 
session with the web server 32. As part of executing the redirect command, 
5 the client 10 sends the resource locator to the web server 32. Again, this 
can be done over a secure path. The web server 32 in turn generates a 
service request for the back-end system 20, using the resource locator in lieu 
of the actual data, and passes this to the enabler 24 on the back-end 
system 20. When the enabler 24 receives the resource locator, the 

10 enabler 24 will fetch the data corresponding to the resource locator and 
associate it with the service request. 

As required previously, authentication can be performed using any 
method including the method described in provisional patent application 
No. 60/106,290, titled "Secure Authentication for Access to Back-End 

1 5 Resources," and filed October 30, 1 998, incorporated by reference herein. 
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What is claimed is: 

1 . A method for downloading data from a back-end resource to a 
client via network-based client-accessible systems containing web servers, 
comprising the steps of: 

5 sending a client-originated request from the client to the back-end 

resource via a client-accessible system; 

issuing at least one back-end resource locator and passing it to a web 

server; 

formatting a web page with the resource locators and passing it to the 
10 client; and 

reading the web page and retrieving the data over secure connections 
according to the resource locators. 

2. A method as set forth in claim 1 , where the step of retrieving 
15 the data over secure connections according to the resource locators 

comprises the step of bypassing the web server. 

3. A method as set forth in claim 1 , where the step of requesting 
retrieval of the data comprises the step of authenticating the client. 

20 

4. A method for uploading data from a client to a back-end 
resource via network-based client-accessible systems containing web 
servers, comprising the steps of: 

25 establishing a secure session between the client and the back-end 

resource via a client-accessible system; 
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sending data from the client to the back-end resource via the secure 

path; 

issuing a redirect command and a resource locator, and passing them 
from the back-end resource to the client; 
5 executing the redirect command and establishing a session between 

the client and the web-server; 

sending the resource locator from the client to the web-server; 

sending the resource locator from the web-server to the back-end 
resource; and 

1 0 locating the data at the back-end resource using the resource locator. 

5. A method as set forth in claim 4, where the step of sending data 
from the client to the back-end resource via the secure path comprises the 
step of bypassing the web server. 



15 



20 



6. A method as set forth in claim 4, where the step of establishing 
a secure session between the client and the back-end resource via a client- 
accessible system comprises the step of authenticating the back-end 
resource and/or the client. 



7. A system for downloading data from a back-end resource to a 
client via network-based client-accessible systems containing web servers, 
comprising: 

a back-end system comprising 
25 a back-end resource; and 
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an enabler, the enabler comprising means for generating at 
least one resource locator, the resource locator comprising a redirect 
command corresponding to the back-end resource; and 
at least one network-based client-accessible system comprising 
5 at least one web-server, the web-server comprising 

means for assembling a web page; and 
means for incorporating a resource locator in the web 
page; and 
a router comprising 

10 at least one port corresponding to a redirect command 

in a resource locator; 

means for establishing a secure path with the client; and 
means for communicating with the back-end resource. 

15 8. A system as set forth in claim 7, where the enabler further 

comprises means for authenticating the client. 

9. A system for uploading data from a client to a back-end 
resource via network-based client-accessible systems containing web 
20 servers, comprising: 

a back-end system comprising 

a back-end resource; and 

an enabler, the enabler comprising means for generating at 
least one resource locator, the resource locator comprising a redirect 
25 command corresponding to the back-end resource; and 

at least one network-based client-accessible system comprising 
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at least one web-server, the web-server comprising means for 
communicating with the client and the back-end system; and 

a router comprising means for providing a secure connection 
between the client and the back-end system. 

10, A system as set forth in claim 9, further comprising means for 
authenticating the client. 
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DOWNLOAD 
PROCEDURE 



CLIENT SENDS REQUEST FOR DATA 
TO WEB SERVER; WEB SERVER PASSES 
REQUEST TO ENABLER 
ON BACK-END SYSTEM 



ENABLE^ ISSUES RESOURCE LOCATOR(S) 
AND PASSES IT TO WEB SERVER 



WEB SERVER FORMATS AND SENDS 
WEB PAGE WITH RESOURCE LOCATORS 
WHERE DATA WILL BE INSERTED 



CLIENTS RECEIVES FORMATTED WEB PAGE 
FROM WEB SERVER AND REQUESTS 

RETRIEVAL OF RESOURCES 
INDICATED BY RESOURCE LOCATOR(S) 



I 



SECURE PATH IS ESTABLISHED 
FROM CLIENT THROUGH ROUTER 
TO ENABLER ON BACK-END SYSTEM 



BACK-END SYSTEM SENDS DATA 
TO CLIENT OVER SECURE PATH 



CLIENT BROWSER INSERTS DATA FROM 
BACK-END SYSTEM INTO WEB PAGE 



FIG. 2 



BNSDOCiD; <WO 0041S3SA2.I > 



WO 00/41535 



PCTAJSOO/00701 



UPLOAD 
PROCEDURE 



CLIENT ESTABLISHES SECURE SESSION 
WITH ENABLER VIA ROUTER 



CLIENT SENDS DATA TO ENABLER 
VIA SECURE PATH 



ENABLER ISSUES REDIRECT COMMAND 
AND RESOURCE LOCATOR 
AND PASSES THEM TO CLIENT 



CLIENTS EXECUTES REDIRECT COMMAND 
AND ESTABLISHES SESSION WITH 
WEBSERVER 



CLIENT SENDS RESOURCE LOCATOR 
TO WEB SERVER 



WEB SERVER SENDS RESOURCE 
LOCATOR FORMATTED AS SERVICE 
REQUEST TO ENABLER ON BACK-END SYSTEM 



BACK-END SYSTEM (ENABLER) LOCATES 
PREVIOUSLY RECEIVED CLIENT DATA 
USING RESOURCE LOCATOR 



FIG. 3 
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